

I don't understand the premise of this draft. Whether companies use
cryptographic means of communication within their business to which
government agencies don't have cleartext access before the issuance
of a subpoena is not at all related to whether companies use forms
of internal communication designed to leave no records that can be
the subject of subpoena. To tell companies that FCPA compliance
requires record-keeping, and that use of record-destroying software
is incompatible with compliance requirements and can get you in
trouble is not part of any "responsible cryptography" policy.

So I don't understand the "prosecutorial discretion in aid of
policy" angle, because I don't understand the factual predicate.
But the angle wouldn't make much sense to me even if I understood
the predicate, because I don't think anyone ever doubted that
prosecutorial discretion is a policy tool, whether used by actual
prosecutors or by agencies like FTC and EPA that are structured as
quasi-prosecutorial entities with power to initiate coercive
litigation as their primary tool. Nor do you doubt what you make
the subject of the essay, so it's a "march up the hill to march down
again" sort of story.

The route to improvement, I think, would be a clarification of the
issue at stake. What is surprising in any way about the FCPA
notice? If it said, you can get in trouble for routine mass
shredding of documents, would the issue not be the same?

Prosecutorial Discretion and the Crypto Wars

I. Introduction

The U.S. Department of Justice opened another front in the “Crypto Wars” in November 2017 by introducing a new prosecutorial policy intended to steer companies away from “software that generate but do not appropriately retain business records or communications.”

On the surface, the policy language deals with the retention of corporate records for anti-corruption compliance programs. But attentive readers readily identified the Department’s concern with self-destructing software and encryption, following the sharp increase in use of technology that prevents law enforcement access to devices and communications (the “going dark” problem).

This essay questions whether the use of prosecutorial compliance program policy is a legitimate means to advance the government’s “responsible encryption” pitch and highlights some unacknowledged disadvantages of corporate adherence to the government’s proposal.

II. Discussion

A. The legitimacy of using prosecutorial discretion to advance policy

This essay was prompted by a new Department of Justice policy in connection with the Foreign Corrupt Practices Act (“FCPA”), a statute enacted in 1977 with the purpose of cracking down on bribery of foreign government officials and political parties. In essence, this new policy promises leniency to companies that self-disclose actual or potential violations of the FCPA, as long as certain requirements are met.

Among such requirements, the United States Attorneys’ Manual at 9-47.120(3)(c) now asks companies to timely and appropriately remediate FCPA matters by adopting “[a]ppropriate retention of business records, and prohibiting the improper destruction or deletion of business records, including prohibiting employees from using software that generates but does not appropriately retain business records or communications”.

United States Attorneys answer to the Executive Branch of the federal government. The executive is led by the President, who pursuant to Article II of the Constitution must “take care that the laws be faithfully executed”. One of the many sides of this constitutional duty and power of the President is his or her absolute control over what cases government attorneys bring and what charges they file.

For many policy and practical reasons, the government often makes use of the power not to prosecute in order to achieve some larger goals. The particular goal, however, varies in accordance with the social, political, legal and factual context under consideration. It is largely a consensus among legal professionals that the U.S. criminal justice system would simply collapse without plea bargains and pre-trial settlements. In fact, researchers report that 97% of all federal criminal convictions in 2017 resulted from guilty pleas instead of trials.

One prosecutor might dismiss a criminal complaint against a person with a terminal disease for humanitarian reasons. Another prosecutor may choose to charge a lesser offence against a young, misdirected first-time offender. Yet another prosecutor can offer a plea deal to one person in order to obtain statements and documents against a larger criminal organization. In every one of these cases, the underlying policy and practical considerations vary, but the ultimate source of constitutional governmental power is the same.

Therefore, in light of the doctrines of separation of powers, prosecutorial discretion and precedent on the impossibility of judicial review, the conclusion is that the Constitution and the laws currently afford the federal government a legitimate power to advance its policy agenda by means of prosecutorial discretion.

B. The disadvantages of forgoing self-destructing software and encryption

The FCPA Corporate Enforcement Policy is probably a pilot of further changes in the way the Department assesses the effectiveness of compliance programs in other areas. As the government advances its policy, more companies are likely to endeavor to approximate their corporate policies and procedures to the standards advocated by the Department.

Weak cryptography or exceptional access for encrypted devices also means that corporate networks would be more vulnerable to theft, electronic espionage, hacking and surveillance by foreign or national powers and private agents. For most big businesses and smaller businesses with sensitive data, these risks seem unacceptable.

Furthermore, given the ever-growing text-based communication culture of the twenty-first century, requiring the maintenance of a system that considers any communication within the corporation as a business record is on its face excessive and capable of chilling employee use of corporate communication channels. Not all communications are, or should be considered, business records.
Corporations are expected to assume the costs and responsibility for keeping monumental volumes of internal data with virtually no business use in exchange for a far-fetched promise of leniency that depends on an array of factors, some entirely outside of their control, while bearing the legal and reputational accountability for data treatment and security breaches.

III. Conclusion

The Department of Justice is legitimately using prosecutorial discretion as a tool to advance its “responsible encryption” agenda and push back against self-destructing software and encryption, trying to guarantee that corporate records and communications are readily accessible for law enforcement purposes.

However, the unacknowledged consequence of this particular policy is that corporate networks become more vulnerable to theft, electronic espionage, hacking and surveillance.

Furthermore, the policy also suggests that corporations bear the costs and the responsibility for keeping indiscriminate vast archives of data, most with virtually no business use, that actually should not be considered business records in the first place.
